How should senders handle gray-area data sources responsibly?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've got a pile of business cards from a conference three years ago. Or a spreadsheet from a partner who "highly likely they opted in." Or a list scraped from public LinkedIn profiles. These are gray-area data sources, and they're riskier than they look.
The honest test: would this person recognize your name in their inbox and feel like they asked to hear from you? If the answer is "probably not," you're carrying real risk even if you can technically argue consent existed at some point.
The responsible path before mailing is a re-permission campaign. Send a single email from your domain explaining who you are and asking them to confirm they want to hear from you. Yes, you'll lose most of the list. That's fine. The people who confirm are actually worth mailing. The rest were never going to convert and would only hurt your sender reputation.
Document your reasoning. If a regulator asks why you emailed someone who later filed a complaint, "we ran a re-permission campaign in [month] and they confirmed" is defensible. "We inherited this list from a 2018 trade show" is not.
One more thing: validate the list before you even start re-permissioning. Sending to dead addresses and spam traps to ask "do you want to hear from us?" will damage your reputation before you get a single response. Review My Emails' list cleaning can catch those before they cause problems.
If you want to understand what valid consent actually looks like, that's worth reading before you decide how to handle a gray-area source.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.